An island hopping attack is a hacking campaign in which threat actors target an organization's more vulnerable third-party partners to undermine the target company's cybersecurity defenses and gain access to its network. A threat actor is an entity that is partially or completely responsible for an incident that affects -- or has the potential to affect -- an organization's security system.
Threat actors targeting large organizations -- even ones with effective cybersecurity defenses -- will go to any length to get in. If the targeted organization has strong cybersecurity practices, then attackers will utilize island hopping attacks and exploit the business's intermediaries to penetrate the original organization's secure systems.
Island hopping attacks have become increasingly popular. Threat actors are using the technique to compromise network systems between multiple companies and steal their digital assets. The industries most affected by island hopping attacks include finance, healthcare, manufacturing and retail.
Island hopping cyberattacks and third-party access
The term island hopping comes from the military strategy employed by the Allies in the Pacific theater against the Axis powers during World War II. The strategy involved having the Allies take over an island and use it as a launching point for the attack and takeover of another island. The mission was first put into motion in August 1942 in Guadalcanal in the Solomon Islands.
In cybersecurity, island hopping attackers target customers and smaller companies that work with the victim organization, assuming that these more minor entities' cyberdefense systems are not as extensive as the ultimate target.
Similarly, if an organization's employees are known to order food from the same website, threat actors may stage a watering hole attack, where they compromise that site -- knowing that members of the organization visit it -- as a way to gain access to the company's network.
How do they work?
Island hopping attacks often begin through phishing, where the attackers disguise themselves as a reputable entity in an email or other communication channel. Trusted brands -- such as Facebook and Apple support -- are often used in phishing attacks as a first step.
Another common method is known as network-based island hopping, in which attackers infiltrate one network and use it to hop onto an affiliate network. For example, attackers will target an organization's managed security service provider (MSSP) to move through their network connections.
In another technique known as a reverse business email compromise, attackers take over the mail server of their victim company and use fileless malware attacks from there. Fileless malware attacks use applications that are already installed and thought to be safe. As such, fileless malware attacks do not need to install malicious software or files to initiate an attack. Reverse business email compromise attacks often target the financial sector.
Why do attackers use island hopping attacks?
Primary motivations for island hopping attacks include criminal activities, such as ransomware attacks and cryptojacking. For example, in 2013, hackers targeted the heating, ventilation and air conditioning (HVAC) service partner of retail giant Target. Target suffered a massive security breach in which the payment data of more than 40 million customers was stolen.
As was the case with Target, attackers take advantage of smaller partner companies because they typically cannot afford the same level of cybersecurity as the bigger organizations. Moreover, because the smaller systems are already trusted by the larger company, they are less likely to be noticed when compromised, making it easier for the attack to spread to the organization's network.
Island hopping defense strategies
Island hopping defense strategies include the following:
- Assess third-party risks.
- Create an incident response plan and a team that is funded and has the right tools to defend the network.
- Require that suppliers use the same preferred MSSP and technology stack as the organization.
- Have an incident response third party on retainer.
- Use correct network segmentation so contractors don't get access to all of the servers, just the server they need to work on.
- Use multifactor authentication (MFA).
- Focus on lateral movement -- in which attackers move through a network, searching for key assets and data -- and credential theft.
How rampant are island hopping cyberattacks?
According to the VMware cybersecurity company Carbon Black's November 2019 Global Incident Response Threat Report, island hopping accounts for 41% of total cyberattacks -- up 5% since the first half of 2019. Lateral movement is steady at 67% of attacks -- well above 2018 averages. In the same report, Carbon Black found that attackers are selling island hopping access to compromised systems, often without the target realizing they are exposed.
Custom malware was used in 41% of attacks -- up from 33% in the first quarter of 2019, according to the report. Attacks are rising quickly because people who build custom attack code sell it on the dark web. Once it is used, the coder, as well as the purchaser, can attack the targeted company.
How to respond to an island hopping cyberattack
Organizations that have become victims of island hopping attacks should respond by doing the following:
- Look at logs from the affected systems for visibility. Identify what access was gained. Once an attacker gains an initial foothold, that access can be used to eventually gain full access to the enterprise through other attacks, such as a watering hole attack.
- Assess the scope of the attack and what assets were taken.
- Monitor new accounts or changes to systems to help identify when an account has been compromised and to thwart future island hopping attacks. Be sure to include trusted third parties that have access to the enterprise network or to cloud services. Also, include the service provider so it can check its logs and systems.
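The log review described above, as an added example that is not part of the original article: it checks constructed access-log lines against a per-partner allowlist of servers (the network segmentation recommended earlier), flags third-party accounts reaching hosts outside their segment or creating new accounts, and summarizes which hosts each partner touched to scope the incident. The log format, account names and host names are all hypothetical.

```python
import re
from collections import defaultdict

# Hypothetical allowlist: the servers each third-party account is permitted to
# reach. This is constructed sample data, not a real vendor configuration.
THIRD_PARTY_ALLOWLIST = {
    "hvac-vendor": {"bms-01"},
    "mssp-svc": {"siem-01", "fw-mgmt"},
}

# Constructed sample log lines: "<timestamp> <event> <account> <host> [extra]".
SAMPLE_LOG = """\
2019-11-02T01:12:03Z LOGIN hvac-vendor bms-01
2019-11-02T01:14:51Z LOGIN hvac-vendor pos-db-02
2019-11-02T01:15:10Z USER_ADD hvac-vendor pos-db-02 newuser=svc_backup
2019-11-02T02:03:44Z LOGIN mssp-svc siem-01
2019-11-02T02:07:19Z LOGIN alice ws-114
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")

def parse(log_text):
    """Yield (ts, event, account, host, extra) tuples; skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def find_findings(log_text, allowlist):
    """Return (account, host, reason) for every third-party account that reached
    a host outside its segment or created a new account anywhere."""
    findings = []
    for ts, event, account, host, extra in parse(log_text):
        if account not in allowlist:
            continue  # only trusted third-party accounts are in scope here
        if host not in allowlist[account]:
            findings.append((account, host, "host outside allowed segment"))
        if event == "USER_ADD":
            findings.append((account, host, "new account created: " + (extra or "")))
    return findings

def scope_by_account(log_text, allowlist):
    """Summarize which hosts each third-party account touched (incident scope)."""
    touched = defaultdict(set)
    for ts, event, account, host, extra in parse(log_text):
        if account in allowlist:
            touched[account].add(host)
    return dict(touched)

if __name__ == "__main__":
    for finding in find_findings(SAMPLE_LOG, THIRD_PARTY_ALLOWLIST):
        print("FINDING", *finding)
    print("SCOPE", scope_by_account(SAMPLE_LOG, THIRD_PARTY_ALLOWLIST))
```

In a real investigation the same two questions are asked of the partner's logs as well, which is why the article asks that the service provider be included in the review.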